A v2 pack index file can specify an offset within a packfile
of up to 2^64-1 bytes. On a system with a signed 64-bit
off_t, we can represent only up to 2^63-1. This means that a
corrupted .idx file can end up with a negative offset in the
pack code. Our bounds-checking use_pack function looks for
too-large offsets, but not for ones that have wrapped around
to negative. Let's do so, which fixes an out-of-bounds
access demonstrated in t5313.
Signed-off-by: Jeff King <peff@xxxxxxxx>
---
sha1_file.c | 2 ++
t/t5313-pack-bounds-checks.sh | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/sha1_file.c b/sha1_file.c
index d2ffd92..9d223e6 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1076,6 +1076,8 @@ unsigned char *use_pack(struct packed_git *p,
die("packfile %s cannot be accessed", p->pack_name);
if (offset > (p->pack_size - 20))
die("offset beyond end of packfile (truncated pack?)");
+ if (offset < 0)
+ die("offset before end of packfile (broken .idx?)");
if (!win || !in_window(win, offset)) {
if (win)
diff --git a/t/t5313-pack-bounds-checks.sh b/t/t5313-pack-bounds-checks.sh
index 0717746..a8a587a 100755
--- a/t/t5313-pack-bounds-checks.sh
+++ b/t/t5313-pack-bounds-checks.sh
@@ -136,7 +136,7 @@ test_expect_success 'bogus offset into v2 extended table' '
test_must_fail git index-pack --verify $pack
'
-test_expect_failure 'bogus offset inside v2 extended table' '
+test_expect_success 'bogus offset inside v2 extended table' '
# We need two objects here, so we can plausibly require
# an extended table (if the first object were larger than 2^31).
do_pack "$object $(git rev-parse HEAD)" --index-version=2 &&
--
2.7.2.695.gf3fde8e
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html